Exam CISSP topic 1 question 29 discussion

browser executed a script upon visiting a compromised websit A Cross-Site Request Forgery (CSRF) attack occurs when a malicious web site, email, blog, instant message, or program tricks an authenticated user's web browser into performing an unwanted action on a trusted site.

XXS: </sript> to load on browser

XSS happen on client side. CSRF happening on web server side.therefore Answer is C

Ignore my comment. I will go with C

Answer is D CSRF uses the authentication cookie. Cross site request forgery (CSRF) is a web application security attack that tricks a web browser into executing an unwanted action in an application to which a user is already logged in. The attack is also known as XSRF, Sea Surf or Session Riding.

XSS injects a malicious script into a vulnerable website in order to get a user's session cookies when they visit the compromised website. XSRF/CSRF on the other hand only targets the user directly, it does not compromise any website and does not get session cookies.

Definetely C.

C is correct answer. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. https://owasp.org/www-community/attacks/xss/ https://owasp.org/www-community/attacks/csrf

Correct answer is C - Cross-site script attack The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it’s possible to create a specific JavaScript code that will send the cookie to the attacker. https://owasp.org/www-community/attacks/Session_hijacking_attack

Agree with C - If is a scrypt (JavaScript) in the browser. Def XSS.

its C, the stolen session cookie information part of the question is trying to trick you into picking CSRF

Answer C https://www.fortinet.com/resources/cyberglossary/cross-site-scripting